CVSSv3: 9.8

CVE-2022-32224

Published: 05/12/2022 Updated: 08/12/2022
CVSS v3 Base Score: 9.8 | Impact Score: 5.9 | Exploitability Score: 3.9
VMScore: 0

Vulnerability Summary

A possible escalation-to-RCE vulnerability exists when using YAML serialized columns in Active Record versions before 7.0.3.1, 6.1.6.1, 6.0.5.1 and 5.2.8.1. An attacker who can already manipulate data in the database (for example via SQL injection) could use the YAML deserialization of such columns to escalate that access to remote code execution.

Vulnerable Product

Vendor: activerecord project; Product: activerecord

Vendor Advisories

Debian Bug report logs - #1016140 rails: CVE-2022-32224. Package: src:rails; Maintainer for src:rails is Debian Ruby Team <pkg-ruby-extras-maintainers@lists.alioth.debian.org>; Reported by: Moritz Mühlenhoff <jmm@inutil.org>; Date: Wed, 27 Jul 2022 20:57:06 UTC; Severity: grave; Tags: security. Reply or subscribe t ...

Synopsis: Important: Satellite 6.13 Release. Type/Severity: Security Advisory: Important. Red Hat Insights patch analysis: Identify and remediate systems affected by this advisory (View affected systems). Topic: An update is now available for Red Hat Satellite 6.13. The release contains a new version of Satellite and important security fixes ...

Synopsis: Critical: Satellite 6.11.5 Async Security Update. Type/Severity: Security Advisory: Critical. Red Hat Insights patch analysis: Identify and remediate systems affected by this advisory (View affected systems). Topic: Updated Satellite 6.11 packages that fix critical security bugs and several regular bugs are now available for Red ...

Synopsis: Critical: Satellite 6.12.1 Async Security Update. Type/Severity: Security Advisory: Critical. Red Hat Insights patch analysis: Identify and remediate systems affected by this advisory (View affected systems). Topic: Updated Satellite 6.12 packages that fix critical security bugs and several regular bugs are now available for Red ...

Github Repositories

CVE-2022-3222 ActiveRecord serialization behaviour check. References: discuss.rubyonrails.org/t/cve-2022-32224-possible-rce-escalation-bug-with-serialized-columns-in-active-record/81017, api.rubyonrails.org/classes/ActiveRecord/AttributeMethods/Serialization/ClassMethods.html, rails/rails#45584. Preparation: bundle install; bin/rails db:migrate

Demo of Rails serialization problem. Running the demo (works):

    BUNDLE_GEMFILE=Gemfile-526 bundle exec ruby ar_play.rb
    -- create_table("comments", {:force=>:cascade})
       -> 0.0049s
    -- create_table("posts", {:force=>:cascade})
       -> 0.0004s
    100
    {:background=>"black", :display=>"large"}